October 07, 2011

GAO Report Raises Concerns About DHS Oversight of Its Data Mining Programs and Violations of Privacy Protocols

(Washington, DC)  -- Congressman Brad Miller, Ranking Member of the Subcommittee on Energy & Environment and Ms. Donna F. Edwards, Ranking Member of the Subcommittee on Investigations & Oversight today released a new Government Accountability Office (GAO) report that reviewed Department of Homeland Security (DHS) data mining programs for both their effectiveness and compliance with privacy policies. 

The GAO report, “DATA MINING: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism,” covers data mining practices in six separate DHS counterterrorism programs in three DHS agencies, including Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE). Together, these programs cost an estimated $2 billion.

Data mining is a technique used to extract useful information from large volumes of data and is used by DHS to help identify or detect potential terrorist threats. The GAO review looked at both pattern-based data mining programs that seek to identify unusual behavior that could be associated with criminal or terrorist behavior as well as less controversial subject-based data mining programs that use a specific subject, such as a suspected terrorist’s name or address, to help identify associations or other information about the individual.

One of the most disturbing findings by the GAO involved an ICE program that violated the policies in place designed to protect the privacy of citizens. The Immigration and Customs Enforcement Pattern Analysis and Information Collection (ICEPIC) program has been used “to identify non-obvious relationship patterns among individuals and organizations that are indicative of violations of customs and immigration laws or terrorist threats,” according to DHS. Yet one month after ICEPIC was deployed in January 2008, a new program component called the Law Enforcement Information Sharing (LEIS) Service, which had not been reviewed or approved by the DHS privacy office, was rolled out. This component allows information to be shared outside the agency with local and state agencies. GAO found that the new component specifically violates the DHS Privacy Impact Assessment created for the program.

In its review, the GAO found that some DHS data mining programs failed to evaluate the quality of the data these data mining systems rely upon, one program failed to have the design of its system reviewed by the DHS Chief Information Officer (CIO), and ICEPIC failed to update its program’s Privacy Impact Assessment (PIA) more than three years after the program had been expanded to share sensitive personal information with local, state and federal officials. 

Mr. Brad Miller, Ranking Member of the Subcommittee on Energy & Environment, said: “Government data mining should have tough-minded oversight if we’re going to keep Americans safe from terrorism, avoid wasting tax dollars on one boondoggle technology after another, and protect the privacy of innocent Americans.  The intelligence community has to stop using the legitimate need for some secrecy in counter-terrorism to hide from oversight, and Congress needs to get over our ‘gee-whiz’ attitude when we deal with the intelligence community,” he said.  

“It is alarming that DHS needed GAO to point out that the agency’s data mining program has been violating its own privacy protocols for more than three years by sharing sensitive personal information with local, state, and federal officials,” said Donna F. Edwards, Ranking Member, Subcommittee on Investigations and Oversight. As a result of GAO’s findings, the DHS Chief Privacy Officer has begun an investigation into the ICEPIC program, and DHS concurred with five other recommendations offered by the GAO to improve DHS oversight, evaluation and privacy protections of its counterterrorism data mining programs in general.

One change that will come from this review is that, for the first time, the DHS Chief Privacy Officer will now include an unclassified abstract of Privacy Impact Assessments in an annex to its Annual Report to Congress that lists PIAs that have been “either redacted in part or withheld from publication” due to national security considerations. Furthermore, DHS will make these restricted PIAs available to Members of Congress for review. In response to the GAO report, DHS said there were “very few unpublished PIAs,” but it did acknowledge that some did exist. In the future, Congress will have more insight into these programs.

In its evaluation, GAO used a framework established by the National Academy of Sciences in 2008 to assess DHS counterterrorism-related data mining programs for both effectiveness and compliance with relevant privacy protections. None of the programs reviewed by GAO performed all of the key activities associated with an effective evaluation framework as outlined by the National Academy of Sciences and other best practices used by GAO.

The GAO cited three key challenges for DHS, including reviewing and overseeing data mining systems once they are in operation, implementing acquisition policies throughout the department and ensuring that these systems have up-to-date privacy reviews.  “Until DHS addresses these challenges,” GAO found, “it will be limited in its ability to ensure that its systems have been adequately reviewed, are operating as intended, and are appropriately protecting individual privacy and assuring transparency to the public.”  As a result, GAO concluded, “DHS and its component agencies risk developing and acquiring systems that do not effectively support their agencies’ mission and do not adequately ensure the protection of privacy-related information.”

“DATA MINING: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism,” GAO-11-742, September 2011, available here: https://www.gao.gov/new.items/d11742.pdf